• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Does anyone use CrowdSec with Plesk?

herrMartin

herrMartin

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.45 Update #2
I am using Crowdsec on another non Plesk VPS in a docker environment with everything behind Traefik. I am super happy with this solution, especially with Crowdsec which replaces a lot of other expensive, slower security solutions.
Is anyone using Crowdsecwith Plesk and CentOS 7? Any recommendations for the setup. Just asking because often with Plesk there are special headaches.

www.crowdsec.net

CrowdSec - The open-source & collaborative IPS

CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Join the community and let's make the Internet safer, together.
www.crowdsec.net www.crowdsec.net
 
Thanks for reminding me ;-)

I tried CrowdSec a year ago and decided not to use it. I can't remember the reason why. I guess because it wasn't really active at that time. Low install/downloads etc.

I gave it another shot and installed it on a Plesk AlmaLinux 8.7 server.
Added a few test subscriptions logs:
Code: 
# mkdir /etc/crowdsec/acquis.d
# cat /etc/crowdsec/acquis.d/plesk.yaml
filenames:
  - /var/www/vhosts/system/domain1.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain1.com/logs/access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/access_ssl_log
labels:
  type: nginx
---

So far, it mostly blocks bad-user-agents:

Code: 
# cscli decisions list
╭───────┬──────────┬────────────────────────┬───────────────────────────────────┬────────┬─────────┬───────────────────────────────────┬────────┬────────────────────┬──────────╮
│  ID   │  Source  │ Scope:Value            │              Reason               │ Action │ Country │                AS                 │ Events │     expiration     │ Alert ID │
├───────┼──────────┼────────────────────────┼───────────────────────────────────┼────────┼─────────┼───────────────────────────────────┼────────┼────────────────────┼──────────┤
│ 22661 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h59m2.879054818s  │ 15       │
│ 22660 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.927612664s │ 14       │
│ 22659 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.178042482s │ 13       │
│ 22658 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m40.170986732s │ 12       │
│ 22657 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m39.172110935s │ 11       │
│ 22656 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 3h29m44.468924046s │ 10       │
│ 22655 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398722 CENSYS-ARIN-03             │ 2      │ 3h22m53.773628827s │ 9        │
│ 22654 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h21m9.524985973s  │ 8        │
│ 4     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ NL      │ 202425 IP Volume inc              │ 2      │ 2h49m30.708270174s │ 4        │
│ 3     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 24940 Hetzner Online GmbH         │ 2      │ 2h34m41.664605675s │ 3        │
│ 2     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 2h28m48.78155151s  │ 2        │
│ 1     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-open-proxy     │ ban    │ NL      │ 202685 Aggros Operations Ltd.     │ 1      │ 2h13m20.342538872s │ 1        │
╰───────┴──────────┴────────────────────────┴───────────────────────────────────┴────────┴─────────┴───────────────────────────────────┴────────┴────────────────────┴──────────╯
 
Last edited:
on my docker / traefik vps I have secured two sites with it which were hammered with spam, bots, brute force attacks, etc and It gets the job done and gives me peace of mind. You can also realize quite easy geo-blocking with traefik and crowdsec. Something which IO haven't managed to do on my cent os 7 / plesk system.
 
Please do not forget the Apache and Plesk panel log files:

YAML: 
filenames:
  - /var/www/vhosts/system/*/logs/error_log
  - /var/www/vhosts/system/*/logs/access_log
  - /var/www/vhosts/system/*/logs/error_ssl_log
  - /var/www/vhosts/system/*/logs/access_ssl_log
  - /var/log/plesk/httpsd_access_log
  - /var/log/sw-cp-server/error_log
labels:
  type: apache2
 
You must log in or register to reply here.

Similar threads

H
Question Decommissioning a hacked Plesk/CentOS 7/Plesk web server, and migrating all sites to CentOS 7/Plesk
Replies
2
Views
946
Huey Tinman
H
Ross Edwards
Question CentOS -> RHEL without breaking Plesk?
Replies
3
Views
2K
stkl
S
burnley
Issue Obsidian on CentOS 7: Plesk generates broken Dovecot configuration if client tries to secure email with invalid ssl certificate
Replies
3
Views
2K
IgorG
IgorG
burnley
Forwarded to devs Obsidian on CentOS 7: Plesk generates broken Dovecot configuration if client tries to secure email with invalid ssl certificate
Replies
1
Views
1K
IgorG
IgorG
Endre
Issue Server Error 500 Plesk\Exception\Database DB query failed: SQLSTATE[HY000] [2002] No such file or directory
Replies
15
Views
8K
MihaiNecreala
M
Back
Top